WebApp Sec: RE: Windows 2003 Server Hardening

["Aleksander P. Czarnowski" <alekc () avet com pl>]

> Would anyone happen to have a document or recommendations for hardening a
> Windows 2003 Server public facing Web/FTP/Mail server?
Many publications does not look at this issues at architecture level but rather focus on base system and particular 
server application hardening.

First of all I wouldn't put all those services on one host. Secondly I would reconsider using FTP - while IIS FTP has a 
very good record in terms of security, other popular Windows and Unix FTP servers has been vulnerable to many buffer 
overflow / format string attacks in the past. 

Secondly I would advise to implement strong network traffic filtering both inbound and outbound (which can limit risk 
of penetrating system by script kiddies who are not able to rewrite shellcode to do something else than reverse shell).

Also snort - in proper configuration, even installed on the server itself - can be very good add-on.

Keep in mind that there are few interesting HIDS solutions available for Win32 systems that extend VS /GS cookie based 
stack protection and DEP mechanism. Coming down to code security it is important to review (web)applications that are 
installed and available to users. Such approach in case of MS IIS technology has been demonstrated here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh21.asp

It demonstrates for example use of ILDASM for binary code auditing created with .NET.

Just few thoughts
Best Regards,
Aleksander Czarnowski
AVET INS